
How to include CKFinder2 in a PHP page with SESSION security?

Question:

I am trying to include CKFinder in my PHP web site. I found the official docs:

    <?php
    // The session must be started before $_SESSION is written (the original snippet omitted this).
    session_start();
    // The CKFinder class is defined in ckfinder.php inside the CKFinder directory
    // (path assumed here; adjust it to your installation).
    require_once __DIR__ . '/libs/ckfinder2/ckfinder.php';

    $_SESSION['IsAuthorized'] = TRUE; // simple user authorized

    $finder = new \CKFinder();
    $finder->BasePath = 'http://bow.loc/web/libs/ckfinder2/';
    $finder->Create();

But for it to work I need to make changes in the config.php file:

    <?php
    session_start();

    /**
     * This function must check the user session to be sure that he/she is
     * authorized to upload and access files in the File Browser.
     *
     * @return boolean
     */
    function CheckAuthentication()
    {
        // WARNING : DO NOT simply return "true". By doing so, you are allowing
        // "anyone" to upload and list the files in your server. You must implement
        // some kind of session validation here. Even something very simple as...
        //   return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];
        // ... where $_SESSION['IsAuthorized'] is set to "true" as soon as the
        // user logs in your system. To be able to use session variables don't
        // forget to add session_start() at the top of this file.
        return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];
    }

    // other code...

And I don't want to simply return TRUE for security reasons; I want to use the SESSION. But the problem is that I can't do this, because the $finder->Create(); method returns HTML code that opens the ckfinder.html page directly in an IFRAME, so the session in my framework and the session in CKFinder are different, and return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized']; returns FALSE! So my question is:

How can I pass the session with the user auth from my framework to CKFinder and do the security validation in it for an authorized user? Thanks very much for your help!

Answer1:

To secure CKFinder, you need to add this to the action:

    $this->getRequest()->getSession()->set('AllowCKFinder', TRUE); // Allow to use CKFinder

And then modify CKFinder's config.php file with the following code:

    function CheckAuthentication()
    {
        // WARNING : DO NOT simply return "true". By doing so, you are allowing
        // "anyone" to upload and list the files in your server. You must implement
        // some kind of session validation here. Even something very simple as...
        //   return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];
        // ... where $_SESSION['IsAuthorized'] is set to "true" as soon as the
        // user logs in your system. To be able to use session variables don't
        // forget to add session_start() at the top of this file.
        session_start();
        $status = FALSE;

        // Look for the framework's session file for the current session id,
        // first in the prod cache, then in the dev cache.
        $file = dirname(__FILE__) . '/../../../app/cache/prod/sessions/sess_' . session_id();
        if (file_exists($file)) {
            $status = (bool) preg_match('/AllowCKFinder/i', file_get_contents($file));
        }
        if ( ! $status) {
            $file = dirname(__FILE__) . '/../../../app/cache/dev/sessions/sess_' . session_id();
            if (file_exists($file)) {
                $status = (bool) preg_match('/AllowCKFinder/i', file_get_contents($file));
            }
        }

        return $status;
    }

Original post <a href="http://web.brainforce.kiev.ua/node/35" rel="nofollow">here</a>
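The answer above pattern-matches the raw session file, so the flag counts as set whenever the string AllowCKFinder appears anywhere in it, including inside user-supplied values the framework happens to store in the session. The following CheckAuthentication for CKFinder's config.php, added here as an example and not part of the original answer, instead points PHP's native session handler at the framework's session directory and reads the actual attribute; it assumes Symfony 2's default native file session storage (attributes kept under the `_sf2_attributes` key), the `PHPSESSID` cookie name, and the same relative cache path the answer uses.

```php
<?php
// Added example for CKFinder's config.php: read the framework's session
// directly instead of grepping the raw session file for a substring.
// Assumptions (not from the original answer): Symfony 2 native file session
// storage, attribute bag stored under '_sf2_attributes', cookie name
// 'PHPSESSID', and app/cache three directories above this file.
function CheckAuthentication()
{
    $cacheDir   = dirname(__FILE__) . '/../../../app/cache';
    $cookieName = 'PHPSESSID';

    // Only accept a session id that PHP itself would consider well-formed;
    // anything else means "no session", not a path to go looking for.
    if (!isset($_COOKIE[$cookieName])
        || !preg_match('/^[A-Za-z0-9,-]{22,256}$/', $_COOKIE[$cookieName])) {
        return FALSE;
    }
    $sid = $_COOKIE[$cookieName];

    // The framework writes sess_<id> into app/cache/<env>/sessions.
    // Try prod first, then dev, as the original answer did.
    foreach (array('prod', 'dev') as $env) {
        $savePath = $cacheDir . '/' . $env . '/sessions';
        if (!is_file($savePath . '/sess_' . $sid)) {
            continue;
        }

        // Point PHP's own session handler at the framework's store so that
        // session_start() deserializes exactly what the framework saved.
        if (session_id() === '') {
            ini_set('session.save_path', $savePath);
            ini_set('session.use_strict_mode', 1); // refuse uninitialized ids
            session_name($cookieName);
            session_start();
        }

        // Symfony 2 keeps $session->set('AllowCKFinder', TRUE) under the
        // attribute bag's storage key, not at the top level of $_SESSION.
        $attrs = isset($_SESSION['_sf2_attributes']) ? $_SESSION['_sf2_attributes'] : array();

        // Strict comparison: only a real boolean TRUE grants access.
        return isset($attrs['AllowCKFinder']) && $attrs['AllowCKFinder'] === TRUE;
    }

    return FALSE;
}
```

The framework's session cookie must also be sent to the CKFinder connector URL (its cookie path has to cover the CKFinder directory), otherwise $_COOKIE['PHPSESSID'] is absent and the function correctly returns FALSE.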
